With the creation of business-related WhatsApp groups becoming something of a norm in today’s digitally-connected society, Simone Dickson, Director within the Technology and Sourcing practice at commercial law firm Cliffe Dekker Hofmeyr, says that businesses need to be especially aware of the inherent data security risks associated with using these social platforms.
“As is the case with any social media platform today, businesses and their employees need to exercise discretion in what information is shared and made available, also ensuring that the host or provider of the social media platform has taken security measures acceptable to the business and appropriate to the risk. Awareness of who the business is actually engaging with is critical.”
Cyber breaches are a real risk, she explains, referring to the World Economic Forum 2018 Global Risks Report, which ranks large-scale cyberattacks and major data breaches or fraud among the top five most likely risks in the next 10 years. “On an international level, UK market research company Ipsos MORI undertook a cyber-security breaches survey in 2017 and identified that 46% of UK businesses experienced cybersecurity breaches in the last 12 months.
“There have also been a number of data breaches either in South Africa or affecting South African users which have hit the headlines as of late,” she adds. “The potential risks to businesses affected include damage to reputation, loss of shareholder and customer confidence, business interruption, loss of competitive edge, loss or damage to technology and infrastructure, possible regulatory scrutiny, fines and penalties and costs to remedy the breach.”
When asked what legal recourse is currently available locally, Dickson says that businesses would generally need to rely on common law remedies in the event of a breach, although this would need to be assessed on a case-by-case basis. “Whilst the Protection of Personal Information Act, No. 4 of 2013 (POPI) and Cybercrimes and Cybersecurity Bill (Bill) do introduce statutory measures which will assist businesses in legal recourse in the event of cyber breaches, neither of these are fully in effect as yet.”
As such, she urges business owners to undertake effective due diligence on service providers providing them with social media platforms and online services. “This includes assessing levels of data security and deciding whether the platform is appropriate in the context for which it is going to be used.
“In the context of WhatsApp in particular, whilst this may be used effectively as a business tool, it is still ultimately user-based and not centrally controlled by the business itself. Accordingly, the rules of engagement and employee policies must be clearly established upfront. It is also essential to determine where data is to be hosted to consider which data protection laws are in place in the relevant jurisdiction.
“Where sensitive business data is shared via a social media platform (including any backups of such data), this should be subject to stringent security measures. Due to the prevalence of cybersecurity risk, this should be a board level agenda item with a dedicated focus. Businesses should also formulate a breach response plan in order to be fully prepared in the event of a data breach so as to allow for pro-active management rather than crisis driven responses,” Dickson explains.
She adds that data breaches are unfortunately inevitable and it is up to business to be aware of inherent risks and take pro-active steps to mitigate these risks. “Awareness and education is critical,” she says.